Critical Capabilities for Mobile Device Management

Published: 8 August 2012
Analyst(s): Monica Basso, Phillip Redman

Mobile device management offerings are expanding from traditional configurations, policy management, IT administration and reporting to deeper security with containerization, mobile application management and enterprise content management.

Key Findings

- The integration of native APIs on iOS and Android enables corporate containerization in native clients, with encryption, selective wipe and data loss prevention (DLP). Containerization on Android is also possible through third-party clients. Windows Phone (WP) has no API yet, making its management more difficult.
- The containerization of individual applications and files through policy wrapping locks down selected corporate content, avoiding restrictions to the user experience with native applications.
- Enterprise file distribution, sharing and syncing functionalities, associated with secure and managed folders at rest on devices, and private or public cloud services on the back end, are emerging as a new trend in many mobile device management (MDM) offerings.
- As-a-service MDM offerings are growing in the market, and are increasingly being adopted by organizations because of their greater flexibility, scalability and cost-effectiveness, compared with on-premises deployments.

Recommendations

- Prioritize MDM requirements around consumer mobility and bring your own device (BYOD) deployments in the next two years, focusing on mobile application management (MAM), application containerization and enterprise content management.
- Prepare for MDM support across multiple device OS platforms, planning for an increase in Android use in the next 12 months. Keep Windows on the radar screen as well, as a range of new smartphones, media tablets and innovative form factors may hit the market in the coming months.

- Before MDM vendor/product selection, focus on mobility requirements, security and compliance constraints, and mobile user segmentation, and identify the range of policies needed to regulate new deployments.
- Select the MDM option that best supports your policies, considering not only features and technology, but also viability (e.g., delivery models and support).

What You Need to Know

The core capabilities of MDM, such as provisioning, policy enforcement, asset management, administration and reporting, are commoditizing across multiple offerings, and increasingly appear similar. However, differentiation is growing in new areas, such as containerization, MAM and enterprise content management, driven by a great demand for consumer mobility and BYOD adoption.

Analysis

This research provides quantitative ratings for a selection of enterprise MDM offerings, and evaluates them across seven critical capabilities in four typical use cases. (This research complements "Magic Quadrant for Mobile Device Management Software," which covers vendors and their relative positions in the market.) Enterprises should use this research, with its product ratings on critical capabilities in different use cases, to identify the most suitable MDM products and services for their context.

Consumer mobility and BYOD programs are top priorities for most organizations in A range of new IT challenges from security, compliance and management to cost and human capital management hits organizations that often are forced to rapidly make investments in MDM products and services to enforce policies, regulate behaviors, contain costs and manage risks across device platforms. Thus, the MDM market has been growing, and will continue to grow in 2012, with the market size estimated at over $500 million, and more than 100 players. The level of demand and the fierce competition among these players are driving commoditization in this market.
Traditional MDM capabilities, such as provisioning, policy enforcement, asset management, administration and reporting, are beginning to standardize across multiple offerings that increasingly provide similar capabilities. This increasingly drives price competition, and forces players to differentiate in new areas. Growing differentiation is developing in application and document containerization, MAM and enterprise content management, driven by a great demand for consumer mobility and BYOD adoption.

Containerization remains a paramount capability for highly regulated organizations under strong security and compliance requirements, which necessitates the separation of corporate and personal content on devices. The original approach of complete corporate containerization, provided by Good Technology, locks down the corporate footprint, with total separation of business from personal content. Managing the corporate container, instead of the device, grants isolation and protection of corporate content, with no restrictions on personal usage. However, native clients and browsers are not available in the container, which could affect user acceptability. In addition, a growing range of products now offers less granularity in containerization for individual applications, folders and files (see Figure 1). These products provide software development kits (SDKs) to enforce credentials, encryption and other policies through application wrapping. They are commercially available in offerings from AirWatch, BoxTone and Symantec, but more vendors are due to launch these capabilities later in

Figure 1. Heavyweight Versus Lightweight Management Styles
Source: Gartner (August 2012)

MAM is becoming increasingly important, as IT organizations need to deploy third-party and in-house-developed applications to their mobile workforce. Software updates, public app store content blacklisting and enterprise app stores are progressively supported in MDM products. AirWatch, MobileIron and Zenprise currently have the most complete offerings.

Enterprise file synchronization and sharing capabilities are needed, due to the growing adoption of media tablets, such as the iPad, and due to the availability of personal cloud services, such as Dropbox, iCloud and Google Drive, which enable mobile workers via increased productivity, but could represent security and compliance threats. Some players, such as AirWatch and Fiberlink, already provide secure file management capabilities natively; others do this through partners such as Box and Accellion. More MDM vendors will launch these capabilities in future releases.

Another important element of differentiation is the as-a-service delivery model, which gives enterprises more flexibility, scalability and cost-effectiveness. While many vendors have launched as-a-service offerings in the past 12 months, AirWatch and Fiberlink have the most mature offerings and experience. More organizations are considering cloud-based MDM services, because they are more economical and flexible.

One area where most MDM products still lag behind others is integration with PC configurations and management capabilities, as they focus predominantly on MDM. Exceptions are represented by products from IBM and Fiberlink. Lack of support across the full spectrum of mobile and client computing is a limitation for most IT organizations that aim to manage smartphones, media tablets and PCs in more integrated and efficient ways. We expect to see more convergence in the coming months in mobile and PC/system management.

IT organizations struggle to identify the right options for investment. The large number of offerings with a lack of differentiation in basic management capabilities confuses buyers, and complicates investment decisions. One major area of differentiation among MDM offerings is their technical approach to management:

- Lightweight MDM: Server-side product and service offerings may (or may not) have a small mobile agent running on the device, and/or may integrate the mobile OS platform's native APIs or Microsoft Exchange ActiveSync [EAS] client implementation, but may not have a complete mobile management client on the device. These offerings can be used with native mobile support in corporate servers (e.g., EAS in Microsoft Exchange Server or Lotus Notes Traveler in Lotus Notes and Domino) to enforce complementary policies, working with the device's native client. However, they manage the device entirely, enforcing policies (e.g., on acceptable use, or application blacklists) that apply to the device anytime, including during personal usage. This may be a drawback in BYOD programs where extensive policies need to be enforced for business use. Relevant vendors include MobileIron, Zenprise and Fiberlink.
- Extended Lightweight MDM: Additional capabilities (through SDKs) are provided to enforce policies on applications, such as credentials, encryption and DLP. AirWatch, BoxTone (through Mocana) and Symantec (through Nukona) currently provide these capabilities through SDKs that recompile third-party or in-house applications to enforce policies such as credentials, encryption and limitations, and data sharing with other applications. More vendors are expected to launch these capabilities in future releases.
- Heavyweight MDM: Client-side management software is available for every relevant mobile OS platform (whether stand-alone or blended with a proprietary client). The management client can enforce strong IT control on the device, including a full corporate container with encryption, selective wipe and DLP. Good Technology is the leading vendor taking this approach. Other vendors not covered in this research include Excitor and Little Red Wagon Technologies. This approach enforces complete separation between corporate and personal footprints on the device, offering smoother support for BYOD programs, because users have no limitation of use outside the container, and compliance can easily be proved in audits anytime.

EAS alone is insufficient to manage mobile devices, despite the minimum set of policies provided, because it is not consistent across mobile platforms, does not detect jailbreaks, and cannot enforce device- or OS-level policies (it focuses only on ).

Before conducting MDM product selection analysis, organizations must identify the risks and benefits of introducing support for corporate applications on personal devices. They then need to identify the IT policies required to control deployments, manage risks and support users. They also must choose the appropriate management approach, and products and services, that will help enforce the policies in a cost-effective way.

Product Class Definition

Gartner defines MDM as a range of products and services that enables organizations to deploy and support corporate applications to mobile devices, such as smartphones and tablets, enforcing policies and maintaining the desired level of IT control across multiple platforms. Mobile devices may be corporate and personal assets, as in BYOD programs. Areas of functionality include provisioning and decommissioning, inventory management, application management and security. The primary delivery model is on-premises, but MDM can also be offered as software as a service (SaaS), or through the cloud. See "Magic Quadrant for Mobile Device Management Software" for a complete description of the market, and the vendors delivering such products or services.

This research focuses on a subset of commercial offerings in the market, encompassing the products and services that get the most attention and requests for advice from Gartner's client base. We highlight the capabilities and viability of these products.

Critical Capabilities Definition

The growing demand for MDM by IT organizations has motivated a large number of technology providers to enter the market with MDM offerings. These products and services enable IT organizations to maintain control, automate management and minimize risks, while delivering consumer mobility to the workforce. Regarding basic management functionalities (e.g., provisioning and inventory management), most offerings are progressively becoming similar, with little differentiation among competing vendors. They differentiate instead on enhanced capabilities, such as containerization, application management, document sharing and the cloud delivery model.

This research examines seven critical capabilities that differentiate competing MDM products in different use cases:

- Policy enforcement and compliance
- Security
- Containerization
- Application management
- Document sharing and management
- Scalability
- As-a-service and cloud delivery models

Detailed information about each critical capability follows:

Policy enforcement and compliance: This varies in capability by mobile OS, but includes:

- Enforce policies on eligible devices:
  - Detect and enforce OS platforms and versions, installed applications and manipulated data.
  - Detect iOS jail-broken devices and rooted Android devices.
  - Filter (restrict) access from noncompliant devices to corporate servers (e.g., ).
  - Restrict the number of devices per user.
- Enforce application policies:
  - Restrict downloadable applications through whitelists and blacklists.
  - Monitor access to app stores and application downloads, put prohibited applications on quarantine, and/or send alerts to IT/managers/users about policy violations.
  - Monitor access to Web services, social networks and app stores, send alerts to IT/managers/users about policy violations, and/or cut off access.
- Enforce mobile communication expense policies in real time:
  - Monitor roaming usage.
  - Detect policy violations (e.g., international roaming), and take action if needed (e.g., disable access to servers, and/or send alerts to IT/managers/users about policy violations).
- Enforce separation of personal versus corporate content:
  - Manage corporate applications on personal devices, and personal applications on corporate devices.
  - Tag content as personal or corporate through flags.
  - Detect separation violations, and send alerts to IT/managers/users if needed.
  - If a container is in use, prohibit exporting data outside the container (e.g., when opening an attachment), and regulate interactions among different enterprise containers.
- Restrict or prohibit access to corporate servers (e.g., to servers and accounts) in case of policy violations.

Security: This is a set of mechanisms to protect corporate data on a device and corporate back-end systems, and to preserve compliance with regulations:

- Password enforcement (complexity and rotation)
- Device lock (after a given time of inactivity)
- Remote wipe, selective remote wipe (e.g., only corporate content), and total remote wipe (e.g., a hard wipe, with data not recoverable after deletion)
- Local data encryption (phone memory and external memory cards)
- Certificate-based authentication (includes device ID, OS version and phone number), and certificate distribution
- Monitoring devices, and data manipulation on devices
- Rogue application protection (e.g., application quarantine)
- Certifications (e.g., Federal Information Processing Standard [FIPS] 140-2)
- Firewalls
- Antivirus software
- Mobile virtual private network (VPN)
- Message archiving (SMS, IM, , etc.) and retrieval, and recording of historical events for audit trails and reporting

Containerization: A set of mechanisms to separate corporate from personal content (data and applications) on devices. What differentiates the level of support for containerization in various products is the granularity of control, isolation and protection enforced through the policies. This can span simple applications and files, to the complete corporate footprint hosted in the corporate container, and can create a dual-persona device user experience. The strongest implementation includes a full corporate container with proprietary applications, such as the client and browser, as well as third-party and in-house applications developed through ad hoc SDKs, to make them part of the container. Additional methods include a container limited to proprietary applications, such as , calendars and contacts, and the browser. Methods can include smaller-granularity containers limited to one application or document. A number of policies can be enforced on the container to control the corporate footprint, such as:

- Local data encryption
- Selective remote wipe
- Data leakage prevention (no data is exported from the container, and there are cut-and-paste prohibitions)
- Controlled communication among containers
- Dual personas

Application management: A set of mechanisms for over the air (OTA) software upgrades, application inventory and distribution, such as:

- Application discovery and private app store
- Apple Volume Purchase Program, or other enterprise volume purchasing program integration
- Software updates for applications or OSs
- Patches/fixes
- Backup/restore
- Background synchronization

Document sharing and management: A set of mechanisms to support file synchronization and sharing, file distribution, and secure and manageable folders on mobile devices with policy enforcement:

- File synchronization and backup, transparent to the user
- File sharing with other employees, or among applications
- File distribution to a group of users, and those that are time sensitive
- Security and management policy enforcement

Scalability: Of MDM deployments in mass volume:

- Platform scalability for over 20,000 units supported
- High-availability and disaster recovery techniques

As-a-service and cloud delivery models:

- Ease of installation
- Pricing policies per user (as opposed to per device) rated higher

Use Cases

This research identifies the four typical use cases discussed in Gartner client inquiries. These cases highlight the differences among selected products/services, and rate them differently under specific conditions.

Case 1: Regulated Deployments

- These organizations operate in severely regulated sectors, such as financial services, healthcare, military and defense, and government, that must be compliant anytime with sector-specific regulations, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA), and must pass periodical audits.
- These organizations have a strong focus on security and control, e.g., for culture or market competition.
- These organizations often aim to support BYOD programs with personal and corporate devices.

- In all cases, strong IT security and control requirements include local data encryption for corporate information, certificate-based authentication, and isolation of corporate from personal content.

Case 2: Flexible Deployments

- These organizations operate in nonregulated sectors (e.g., retail and delivery services) that do not require a complete corporate lockdown on devices, and can live with basic security and management support.
- BYOD programs often are required, in addition to supporting corporate devices.
- Employees are required to work with native applications, such as a native client and browser.
- Provisioning, inventory and policy enforcement extended to the entire device is a management priority.
- There is little or no demand for containerization.

Case 3: Agile Deployments

- These organizations operate in nonregulated sectors, planning to manage mobility through third-party service providers, rather than by deploying an on-premises infrastructure.
- Organizations aim to contain or optimize mobility costs, or to avoid big upfront costs.
- Organizations plan to support a small number of mobile users initially, and to grow incrementally over time to midsize and large deployments.
- BYOD programs often are required, in addition to supporting corporate devices.

Case 4: Mass Deployments

- These are large-scale deployments, from more than 20,000 up to hundreds of thousands, with related requirements for high availability, disaster recovery, quality of service, etc.
- There is a need to monitor and control end-to-end mobile deployments.

The third and fourth use cases are not necessarily mutually exclusive of the first and second. A regulated organization may also look for agile or mass deployments. However, in this research, we want to capture the most common scenarios requiring MDM investment decisions to highlight the product capabilities.

Clients that are comfortable with the security/compliance/containerization capabilities of vendors on their shortlists, but have doubts about scalability, should focus on Case 4 to assess their mass deployment capabilities. Case 3 is a likely fit for organizations that have initial experience with mobility, and Case 4 will work for organizations that already have mobility experience, and are about to scale up to big deployment volumes. Case 1 and 2 focus on the level of control and lockdown needed, and are mutually exclusive.

Table 1 shows the weighting for all use cases in this research. Each use case weighs the capabilities individually based on the needs of that case, which impacts the score. Each vendor may have a different position based on its capability and the weighting for each. The overall use case is the general scoring for the vendor's product, with all weights being equal.

Inclusion Criteria

This research considers the selection of MDM products and services offered by vendors included in "Magic Quadrant for Mobile Device Management Software." Please refer to the Magic Quadrant for a complete description of the market and vendors. Given the large number of players in this market (20 vendors were covered in the Magic Quadrant), we have chosen to restrict our analysis to offerings that gain the most interest during our interactions with Gartner clients, are visible on shortlists, and are largely considered leaders or challengers based on size, revenue or product portfolio. These include products and services provided by AirWatch, BoxTone, Fiberlink, Good Technology, MobileIron, SAP, Symantec and Zenprise. Vendors not included in this research are still valid options for consideration (see "Magic Quadrant for Mobile Device Management Software").

While most vendors specialize in management for smartphones and tablets, a subset provides specific capabilities to manage fleets of ruggedized devices (on Windows CE or Windows Mobile), including Soti, Odyssey Software (now part of Symantec), Wavelink and Motorola. We do not consider these vendors in a separate use case, because specialized management tools for ruggedized devices generate limited Gartner client inquiries for those with fairly mature OSs.

For completeness, we provide the list of criteria we used to qualify vendors for inclusion/exclusion in "Magic Quadrant for Mobile Device Management Software":

- Support for enterprise-class (noncarrier), multiplatform support MDM: Software or SaaS, with an emphasis on mobility
- Specific MDM product focus and feature set, or a primary focus on MDM in another product set (messaging or security)
- Security management, with at least these features:
  - Enhanced abilities to download, monitor and revoke certificates for , applications, Wi-Fi, VPNs, etc.
  - Enforced passwords
  - Device wipe
  - Remote lock
  - Audit trail/logging, including the ability to verify device configurations from a central console
  - Jailbreak/rooted detection
- At least three mobile OS platforms supported
- Policy/compliance management
- Software management, with at least these capabilities supported:
  - Application downloader: the ability to push or pull applications on a mobile device
  - Application verification: the ability to verify the origin of mobile applications
  - Application update support
  - Application patch support
  - App store support: the ability to list and manage enterprise and third-party applications
- Hardware management, with at least these capabilities supported:
  - External memory blocking: blocks all use of flash memory cards, and other external memory
  - Configuration change history: audits and trails for any changes made for hardware
- At least 75,000 licenses sold
- Five referenceable accounts
- No more than 70% of revenue in one main geographic region or market
- At least $1.5 million in MDM-specific revenue
- General availability by the middle of 1Q12

Critical Capabilities Rating

Each product or service that meets our inclusion criteria has been evaluated on several critical capabilities (see Table 2 and Figure 2), on a scale from 1.0 (lowest ranking) to 5.0 (highest ranking).

Product viability is distinct from the critical capability scores for each product. It is our assessment of the vendor's strategy, and the vendor's ability to enhance and support a product throughout its expected life cycle; it is not an evaluation of the vendor as a whole. Four major areas are considered: strategy, support, execution and investment. Strategy includes how a vendor's strategy for a particular product fits in relation to the vendor's other product lines, its market direction and its business overall. Support includes the quality of technical and account support, as well as customer experiences with that product. Execution considers a vendor's structure and processes for sales, marketing, pricing and deal management. Investment considers the vendor's financial health and the likelihood of the individual business unit responsible for a product to continue investing in it. Each product is rated on a five-point scale, from poor to outstanding, for each of the four areas, and it is then assigned an overall product viability rating. Table 4 shows the product viability assessment.
